Summary

Request to add a short note showing how to permit /v3/api-docs and Swagger UI when using Spring Security and running Actuator on a separate management port.

Problem

With Spring Boot 3, /v3/api-docs and Swagger UI are served on the application port, while Actuator is on the management port. When Spring Security is enabled, new users often get 404/401 for the docs unless these paths are explicitly permitted.

Proposal

Add a minimal Spring Security snippet for the application port:

@Bean
SecurityFilterChain api(HttpSecurity http) throws Exception {
  http
    .authorizeHttpRequests(auth -> auth
      .requestMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll()
      .anyRequest().authenticated()
    )
    .oauth2ResourceServer(oauth2 -> oauth2.jwt()); // example; optional
  return http.build();
}

Actuator security remains configured on the management port; this snippet applies to the application port where /v3/api-docs and Swagger UI are served.